The first rule of the internet

November 26, 2010

in Geek stuff, Internet matters, Security

Against a sophisticated attacker, nothing connected to the internet is secure. Not your GMail account, not your Facebook account, not your website, not your home computer (especially if you are using WiFi), not industrial facilities, not governments.

While this may not absolutely always hold, I am increasingly convinced that the right way to treat the internet is to act as if this is so. If there is some information you absolutely want to keep private, keep it in a form that is not linked to the internet. Dig out an old computer for non-networked use or, better yet, use paper. Accept that anything you put online, even in a private email, could end up on display to the entire world.

People can certainly do a lot to protect themselves from what are essentially untargeted attacks. The people who run botnets just need control of random computers, and their attack methods are good enough to breach security on the average system. If your security is significantly better than average, you are probably at little risk from such annoyances. Everything changes, however, when the attacker has resources and expertise at their disposal and has you as a specific target. Governments, corporations, and organized crime groups have those resources, and attack techniques are always spreading to less sophisticated operators. As they say at the NSA, “Attacks always get better; they never get worse.”

Similarly, it is safest to assume that there is no mechanism you can use to secure a non-networked computer from a sophisticated attacker. You can use encryption, but chances are they will be able to pull the passphrase from somewhere or find some workaround. If that passphrase is short or built from dictionary words, it can be defeated by brute force or a dictionary attack. If it is stored anywhere on your computer, phone, or the internet, it can be found.

If you want secure encryption, generate a random alphanumeric string carrying at least as many bits of entropy as the key length of the cipher you are using (there is little point in using 256-bit AES with a weak key like ‘AnteLope2841’). A service such as random.org will do, though anything generated on someone else’s server has passed through that server and the network in between, and a local source such as /dev/urandom avoids both. Each uniformly random alphanumeric character contributes about 5.95 bits (the base-2 logarithm of 62), so a 256-bit key needs 43 such characters; the 32-character example below carries about 190 bits. You need a key like:

xxDTAJjghYCb7YFm8zcV6YYhmgmvmNxE

Once you have a strong key, write it down on paper, keep it locked up, and never use it for anything other than decrypting that one file.


Anon November 26, 2010 at 11:08 am

If you are going to use random.org to generate keys, at least use the HTTPS version, preferably on some random computer that is unlikely to be monitored.

Also, part of the gap between the entropy of commonly used keys and the requirements of strong encryption is filled by key strengthening.
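Worked example of the key-strength arithmetic in the post (short passphrases, dictionary attacks, keys sized to the cipher) and of the key-strengthening point in the comment above. This is added by the editor and is not code from the original post: it puts numbers on entropy per character, draws a key from the operating system’s CSPRNG sized to the cipher, and shows what PBKDF2 stretching does and does not buy. The three-word list, the mangling rule that produces ‘AnteLope’, the digit suffixes, the salt and the attacker model behind the pattern-entropy estimate are all constructed for illustration.

```python
"""Key-strength arithmetic: entropy of a candidate key, a key drawn from the
OS CSPRNG and sized to the cipher, and the effect of PBKDF2 stretching.
Added example; passphrase, word list, mangling rule and iteration counts
are constructed for illustration."""
import hashlib
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols


def charset_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def chars_needed(target_bits, alphabet_size):
    """Shortest uniformly random string carrying at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_key(target_bits=256, alphabet=ALPHANUMERIC):
    """Draw a key from the OS CSPRNG (secrets) with >= target_bits of entropy."""
    n = chars_needed(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def pattern_entropy_bits(wordlist_size, case_variants, digit_count):
    """Entropy of a 'word + odd capitalisation + digits' passphrase against an
    attacker who knows that pattern (assumed attacker model, not a measurement)."""
    return math.log2(wordlist_size) + math.log2(case_variants) + digit_count * math.log2(10)


def derive_key(passphrase, salt, iterations, length=32):
    """Key stretching: PBKDF2-HMAC-SHA256 makes every guess cost `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, length)


def effective_bits(entropy_bits, iterations):
    """Stretching adds log2(iterations) bits of work per guess; it adds no entropy."""
    return entropy_bits + math.log2(iterations)


def candidates(words, digit_suffixes):
    """Constructed mangling rules: a few case variants of each word plus a digit suffix."""
    for w in words:
        for v in (w, w.capitalize(), w.upper(), w[:4].capitalize() + w[4:].capitalize()):
            for d in digit_suffixes:
                yield v + d


def dictionary_attack(target_key, salt, iterations, guesses):
    """Return (passphrase, number_of_guesses) or (None, number_of_guesses)."""
    n = 0
    for cand in guesses:
        n += 1
        if derive_key(cand, salt, iterations) == target_key:
            return cand, n
    return None, n


def demo(iterations=1000):
    """The post's weak passphrase falls to a short constructed dictionary whatever
    the iteration count; stretching only multiplies the cost of each guess."""
    salt = b"constructed-salt"
    target = derive_key("AnteLope2841", salt, iterations)
    words = ["zebra", "antelope", "giraffe"]
    suffixes = ["1234", "2010", "2841", "9999"]
    return dictionary_attack(target, salt, iterations, candidates(words, suffixes))
```

Two things to read off the result: 43 characters is what 256-bit AES actually needs from a 62-symbol alphabet, and the dictionary attack finds ‘AnteLope2841’ on the 31st guess at any iteration count. A million iterations adds twenty bits of work per guess, which against a passphrase worth roughly 33 bits to an attacker who knows the pattern is still nowhere near the 256 bits the cipher was sized for.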

R.K. November 26, 2010 at 3:41 pm

Treating the internet as something that cannot be secured could carry big personal costs. For instance, email has a lot less value if it can only be used for information you would be OK with seeing released publicly.

Milan November 30, 2010 at 8:55 pm

That’s true.

For many people, it may be sensible to continue behaving as usual, despite being aware of the risks. Convenience and the ability to share information easily both have considerable value – sometimes, more than the value of privacy.

Milan December 5, 2010 at 3:49 pm

Another thing that would be very hard to give up about GMail is the search and archiving capabilities. With GMail, it is simple to find a specific message from years ago.

Keeping your email on your own machine might make it more secure, but you pay a price in lost capabilities.

. December 5, 2010 at 4:34 pm

Data protectionism
Serfing the web
A small spat highlights a big issue: who owns your online identity?

Nov 11th 2010 | SAN FRANCISCO | from PRINT EDITION

SUCH is Facebook’s attraction these days that even Britain’s monarch has finally joined the 500m-plus users of the online social network. On November 8th Queen Elizabeth II launched a Facebook page to publicise the royal family’s doings. Within a day, it had attracted almost 200,000 “likes” from around the world plus messages such as “Hello Liz xxx”. But it had also turned into a forum for an acrimonious slanging match between supporters of the monarchy and its critics.

Buckingham Palace says that the Queen’s e-mail address, if she has one, is secret. But it will not end in gmail.com. That will spare her from another wrangle—a kind of digital trade war. On November 5th Google introduced a technical change that blocks its e-mail users from automatically transferring their electronic address book in one lump when they set up a Facebook account. It is part of Google’s efforts to defend its dominance of the internet from Facebook’s growing challenge (as is Google’s announcement this week giving all its 23,000 employees a 10% pay rise and a $1,000 bonus, which is an attempt to halt defections to Facebook).

Both Google and Facebook are run like absolute monarchies in which hundreds of millions of users (digital serfs, some might say) have created identities. Rather like mercantilist countries in the offline realm, both companies operate policies to protect this asset.

. December 5, 2010 at 4:37 pm

The Economist has interviewed, anonymously, executives past and present at 11 Western companies that have been bought by or have sold stakes to Chinese firms, or have been in negotiations to do so. Ten of the deals discussed were worth more than $1 billion. What these people say provides an insight into both China’s capacity to expand its companies abroad and the opaque workings of its state-backed firms. The impression they give is a mixture of awe at China’s ambition and technical skill and a far more qualified assessment of Chinese companies’ ability to run international businesses.

The meat of the negotiation often has two parts: marathon sessions at an investment bank’s offices, often in London, and visits by target firms’ executives to mainland China or Hong Kong. There they may be expected to make epic PowerPoint presentations to giant audiences, and to attend banquets and intimate discussions, often in hotels owned by the bidder.

Most visitors are impressed by Chinese firms’ technical nous. Both sides try to make friends: “Emotion and trust matter,” says a Briton, because authority within Chinese firms is opaque and arbitrary. Chinese negotiators often use booze to break down barriers—and to try to get the upper hand. This is a well-known tactic, says a European of hazy days he spent in a hotel dealing with the fine print. “They would bring in people to try to get you drunk…At one point I was sure they’d brought in a lady from the switchboard.”

Most targets of Chinese takeovers need an interpreter. It pays to be wary. The head of a mining firm grew fond of his, but jokes, “She was clearly an internal spy.” Most executives say they trusted their hosts. But not all. A European says, “They knew everything about me,” and adds, “I had 52 hits from China on my home computer.” Another boss negotiating a controversial natural-resources deal found the atmosphere sinister. “You had to take your battery out of your mobile phone. You were told the rooms were bugged.”

. December 5, 2010 at 5:59 pm

Who spies on your browsing history?

Cory Doctorow at 11:53 PM Wednesday, Dec 1, 2010

We’ve written before about the security vulnerability that allows websites to sniff your browsing history. A paper from UC San Diego computer science department researchers, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications,” surveys which websites use this invasive technique against their users. YouPorn tops the list, but PerezHilton, Technorati, TheSun.co.uk, and Wired are also spying on their users’ browsing habits by exploiting this vulnerability.

Random December 10, 2010 at 11:26 pm
. December 19, 2010 at 7:57 pm

Facebook news feeds beset with malware

One fifth of Facebook users are exposed to malware contained in their news feeds, claim security researchers.

Security firm BitDefender said it had detected infections contained in the news feeds of around 20% of Facebook users.

By clicking on infected links in a news feed, users risk having viruses installed on their computer.

Facebook said it already had steps in place to identify and remove malware-containing links.

BitDefender arrived at its figures by analysing data from 14,000 Facebook users that had installed a security app, called safego, it makes for the social network site.

In the month since safego launched, it has analysed 17 million Facebook posts, said BitDefender.

The majority of infections were associated with apps written by independent developers, which promised enticements and rewards to trick users into installing the malware, BitDefender said.

. January 23, 2011 at 4:47 pm

I hereby speculate that harddisks can use the spare remapping area to secretly make copies of your data. Rising totalitarianism makes this almost a certitude. It is quite straightforward to implement some simple filtering schemes that would copy potentially interesting data. Better, a harddisk can probably detect that a given file is being wiped, and silently make a copy of it, while wiping the original as instructed.

Recovering such data is probably easily done with secret IDE/SCSI commands. My guess is that there are agreements between harddisk manufacturers and government agencies. Well-funded mafia hackers should then be able to find those secret commands too.

Don’t trust your harddisk. Encrypt all your data.

Of course this shifts the trust to the computing system, the CPU, and so on. I guess there are also “traps” in the CPU and, in fact, in every sufficiently advanced mass-marketed chip. Wealthy nations can find those. Therefore these are mainly used for criminal investigation and “control of public dissent”.

People should better think of their computing devices as facilities lent by the DHS.

. April 14, 2011 at 9:20 pm

What is known is the extent to which Chinese hackers use “spear-phishing” as their preferred tactic to get inside otherwise forbidden networks. Compromised e-mail accounts are the easiest way to launch spear-phish because the hackers can send the messages to entire contact lists.

The tactic is so prevalent, and so successful, that “we have given up on the idea we can keep our networks pristine,” says Stewart Baker, a former senior cyber-security official at the U.S. Department of Homeland Security and National Security Agency. It’s safer, government and private experts say, to assume the worst – that any network is vulnerable.

Two former national security officials involved in cyber-investigations told Reuters that Chinese intelligence and military units, and affiliated private hacker groups, actively engage in “target development” for spear-phish attacks by combing the Internet for details about U.S. government and commercial employees’ job descriptions, networks of associates, and even the way they sign their e-mails – such as U.S. military personnel’s use of “V/R,” which stands for “Very Respectfully” or “Virtual Regards.”

The spear-phish are “the dominant attack vector. They work. They’re getting better. It’s just hard to stop,” says Gregory J. Rattray, a partner at cyber-security consulting firm Delta Risk and a former director for cyber-security on the National Security Council.

. April 30, 2011 at 12:26 pm

And future people do not give a damn about your shopping,
your Visa number SSL’d to Cherry-Popping
Hot Grampa Action websites that you visit,
nor password-protected partitions, no matter how illicit.
And this, it would seem, is your saving grace:
the amazing haste of people to forget your name, your face,
your litanous* list of indefensible indiscretions.
In fact, the only way that you could pray to make impression
on the era ahead is if, instead of being notable,
you make the data describing you undecodable
for script kiddies sifting in that relic called the internet
(seeking latches on treasure chests that they could wreck in seconds but didn’t yet
get a chance to cue up for disassembly)
to discover and crack the cover like a crème brûlée.
They’ll glance you over, I guess, and then for a bare moment
you’ll persist to exist; almost seems like you’re there, don’t it?
But you’re not. You’re here. Your name will fade as Front’s will,
‘less in the future they don’t know our cryptovariables still.

. May 14, 2011 at 1:46 pm

Cloud computing’s growing pains
Break-ins and breakdowns
The lessons from Sony’s big security lapse and Amazon’s cloud-computing outage

IT COULD turn out to be the biggest breach of data privacy since the advent of the internet. Sony admitted this week that hackers had stolen personal information, possibly including credit-card details, of many of the 77m-plus users of its online-gaming and entertainment networks. The Japanese company did not admit the full extent of the potential risks to its customers until nearly a week after it had taken its PlayStation Network off air, though it insisted that it had done so as soon as it realised how serious the intrusion into its systems had been.

Amazon, an American online retailer and provider of “cloud computing” services, has also suffered a lengthy breakdown at one of the giant server farms whose storage and processing facilities it rents to other companies. The two lapses, though unconnected and different in nature, have raised the question of whether customers can really trust the basic idea behind the cloud—that you can buy computing services from the internet, just like gas or water from a utility (see article).

. May 25, 2011 at 12:10 am

Apple admits Mac scareware infections, promises cleaning tool

After taking heat for not helping users, Apple takes major step by owning up to security problems in Mac OS, says expert

Computerworld – Apple on Tuesday promised an update for Mac OS X that will find and delete the MacDefender fake security software, and warn still-unaffected users when they download the bogus program.

The announcement — part of a new support document that the company posted late Tuesday — was the company’s first public recognition of the threat posed by what security experts call “scareware” or “rogueware.”

“In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants,” Apple said in the document. “The update will also help protect users by providing an explicit warning if they download this malware.”

Apple also outlined steps that users with infected Macs can take to remove the scareware.

. June 14, 2011 at 1:21 pm

A lot of this is marketing — a combination of “we are invincible” and “be afraid, be very afraid.” But a lot of it is intended also to keep us locked-in to certain technologies. To this point most data security systems have been proprietary and secret. If an algorithm appears in public it escaped, was stolen, or reverse-engineered. Why should such architectural secrecy even be required if those 1024- or 2048-bit codes really would take a thousand years to crack? Isn’t the encryption, combined with a hard limit on login attempts, good enough?

Good question.

Alas, the answer is “no.” There are several reasons for this but the largest by far is that the U.S. government does not want us to have really secure networks. The government is more interested in snooping in on the rest of the world’s insecure networks. The U.S. consumer can take the occasional security hit, our spy chiefs rationalize, if it means our government can snoop global traffic.

This is National Security, remember, which means ethical and common sense rules are suspended without question.

RSA, Cisco, Microsoft and many other companies have allowed the U.S. government to breach their designs. Don’t blame the companies, though: if they didn’t play along in the U.S. they would go to jail. Build a really good 4096-bit AES key service and watch the Justice Department introduce themselves to you, too.

http://www.cringely.com/2011/06/when-engineers-lie/

. June 14, 2011 at 11:15 pm

Why it’s So Difficult to Trace Cyber-Attacks

I’ve been asked this question by countless reporters in the past couple of weeks. Here’s a good explanation. Shorter answer: it’s easy to spoof source destination, and it’s easy to hijack unsuspecting middlemen and use them as proxies.

No, mandating attribution won’t solve the problem. Any Internet design will necessarily include anonymity.

. July 25, 2011 at 6:37 pm

Hiding malware in smart batteries
Posted on July 22, 2011 by Cory Doctorow

Charlie Miller, a respected security researcher, has discovered vulnerabilities in the smart batteries for Apple laptops and mobile devices; he can manipulate their firmware to render them unusable or to cause them to misreport their remaining charge to the OS. The new firmware can survive an OS replacement, leading Miller to speculate that it could be used to store persistent malware that restored itself after the disk was erased and the OS was rewritten.

. October 22, 2011 at 2:42 pm

Researchers from Ruhr University Bochum demonstrated the insecurity of XML encryption standard at ACM Conference on Computer and Communications Security in Chicago this week. ‘Everything is insecure,’ is the uncomfortable message from Bochum. As pointed out by the Ars Technica article, XML Encryption is used widely as part of server-to-server Web services connections to transmit secure information mixed with non-sensitive data, based on cipher-block chaining. But it is apparently too weak, as demonstrated by Juraj Somorovsky and Tibor Jager. They were able to decrypt data by sending modified ciphertexts to the server by gathering information from the received error messages. The attack was tested against a popular open source implementation of XML Encryption, and against the implementations of companies that responded to the responsible disclosure — in all cases the result was the same: the attack worked. Fixing the vulnerability will require a revision of the W3C XML encryption standard, Somorovsky said. The researchers informed all possibly affected companies through the mailing list of W3C, following a clear responsible disclosure process.

dp December 6, 2011 at 6:21 pm

This rule _definitely_ applies to cell phones.

. January 25, 2012 at 12:40 pm

The Hacker is Watching

Every online scam begins more or less the same—a random e-mail, a sketchy attachment. But every so often, a new type of hacker comes along. Someone who rewrites the rules, not just the code. He secretly burrows his way into your hard drive, then into your life. Is he following your every move?

By David Kushner
Photographs by Jason Madara

. February 1, 2012 at 3:17 pm

Milan,

As someone who covers IT security-related news, I thought you might be interested in today’s news from Passware, Inc., a provider of password recovery, decryption, and electronic evidence discovery software for computer forensics, law enforcement organizations, government agencies, and private investigators.

Passware warns consumer Mac users of vulnerabilities in Mac encryption solutions and notes that computer forensics experts can now easily decrypt Mac hard disks encrypted with FileVault.

With the release of this feature, Passware also announces that the new Passware Kit Forensic 11.3:

· recovers hashed passwords with Rainbow Tables

· extracts passwords from encrypted Mac keychain files

· builds a password list for its Dictionary attack based on the words detected in a computer memory

“Full disk encryption is becoming a major obstacle for digital investigations,” said Dmitry Sumin, president, Passware, Inc. “The latest version of Passware Kit Forensic offers multiple approaches to overcoming this problem, such as live memory analysis and extraction of encryption keys for BitLocker, TrueCrypt, and FileVault. This means forensic experts are better armed to approach investigative challenges with an effective and efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis.”

To learn more, please see the release below. I am happy to arrange a briefing with Passware’s president if you would like even more detailed information.

Lauren Curley, for Passware

781 383 6406

lpcurley@comcast.net

Contact:

Nataly Koukoushkina

Passware Inc.

+1 (650) 472-3716 ext. 101

media@lostpassword.com

Passware Contributes to Mac Forensics by Decrypting FileVault; Warns Consumer Mac Users to Vulnerabilities of Mac Encryption Solutions

Full access to an encrypted Mac disk within minutes – new live memory analysis solution released by one of the leading eDiscovery software companies

Mountain View, Calif. (February 1, 2012) – Passware, Inc., a provider of password recovery, decryption, and electronic evidence discovery software for computer forensics, law enforcement organizations, government agencies and private investigators, announces Passware Kit Forensic v11.3, which builds upon the product’s capabilities to recover Mac OS user login passwords from computer memory (see July 26, 2011 press release) by decrypting Mac hard disks encrypted with FileVault.

Passware emphasizes the importance of Mac forensics (according to the recent statistics on Mac platform sales) and the ability to handle full disk encryption as an essential part of eDiscovery with the latest release of Passware for instant FileVault decryption. The solution includes live target memory acquisition over FireWire and subsequent recovery of a FileVault encryption key. Computer forensics experts can now easily gain a FileVault encryption key from the target computer memory, which provides full access to the encrypted Mac hard disk. The full process takes no more than 40 minutes – regardless of the length or complexity of the password.

“Full disk encryption is becoming a major obstacle for digital investigations,” said Dmitry Sumin, president, Passware, Inc. “The latest version of Passware Kit Forensic offers multiple approaches to overcoming this problem, such as live memory analysis and extraction of encryption keys for BitLocker, TrueCrypt, and FileVault. This means forensic experts are better armed to approach investigative challenges with an effective and efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis.”

Latest Features and Vulnerability Alert to Casual Mac Users

With the release of this feature, Passware also announces that the new Passware Kit Forensic 11.3:

· recovers hashed passwords with Rainbow Tables

· extracts passwords from encrypted Mac keychain files

· builds a password list for its Dictionary attack based on the words detected in a computer memory

Supporting the solution’s ability to decrypt Mac hard disks encrypted with FileVault, other memory analysis options available with Passware Kit Forensic include decryption of TrueCrypt, BitLocker, and recovery of Mac user login passwords.

Having designed the latest features of Passware Kit Forensic for computer forensics, Passware alerts home users of the vulnerabilities of Mac encryption solutions and advises users to shut down their computers especially when working with confidential data. Sumin notes, “Live memory analysis opens up great possibilities to password recovery and decryption. Every user should be aware that even full disk encryption is insecure while the data rests in computer memory.”

Pricing and Availability

Passware Kit Forensic is available directly from Passware and a network of resellers worldwide. The price is $995 with one year of free updates. Additional product information and screen shots are available at http://www.lostpassword.com/kit-forensic.htm.

About Passware Inc.

Founded in 1998, Passware Inc. is the worldwide leading maker of password recovery, decryption, and electronic evidence discovery software. Law enforcement and government agencies, institutions, corporations and private investigators, help desk personnel, and thousands of private consumers rely on Passware software products to ensure data availability in the event of lost passwords. Passware customers include many Fortune 100 companies and various US federal and state agencies, such as IRS, US Army, US Department of Defense (DOD), US Department of Justice, US Department of Homeland Security, US Department of Transportation, US Postal Service, US Secret Service, US Senate, and US Supreme Court.

More information about Passware, Inc. is available at http://www.lostpassword.com/. Passware is a privately held corporation with headquarters in Mountain View, Calif. and a software development and engineering office in Moscow, Russia.

. February 16, 2012 at 9:55 am

“It is becoming increasingly difficult for anyone, anyone at all, to keep a secret.

In the age of the leak and the blog, of evidence extraction and link discovery, truths will either out or be outed, later if not sooner. This is something I would bring to the attention of every diplomat, politician, and corporate leader: The future, eventually, will find you out. The future, wielding unimaginable tools of transparency, will have its way with you. In the end, you will be seen to have done that which you did.

I say ‘truths,’ however, and not ‘truth,’ as the other side of information’s new ubiquity can look not so much transparent as outright crazy. Regardless of the number and power of the tools used to extract patterns from information, any sense of meaning depends on context, with interpretation coming along in support of one agenda or another. A world of informational transparency will necessarily be one of deliriously multiple viewpoints, shot through with misinformation, disinformation, conspiracy theories and a quotidian degree of madness. We may be able to see what’s going on more quickly, but that doesn’t mean we’ll agree about it any more readily.”

Gibson, William. Distrust That Particular Flavor. p.170 (hardcover)

. March 7, 2012 at 9:58 pm

Chrome Hacked In 5 Minutes At Pwn2Own

“After offering a total prize fund of up to $1M for a successful Chrome hack, it seems Google got what it wanted (or not!). No more than 5 minutes into the Pwn2Own cracking contest team Vupen exploited 2 Chrome bugs to demonstrate a total break of Google’s browser. They will win at least 60k USD out of Google’s prize fund, as well as taking a strong option on winning the overall Pwn2Own prize. It also illustrates that Chrome’s much lauded sandboxing is not a silver bullet for browser security.”

. March 25, 2012 at 2:10 pm

“A group of U.S. federal cybersecurity experts recently said the Defense Department’s network is totally compromised by foreign spies. The experts suggest the agency simply accept that its networks are compromised and will probably remain that way, then come up with a way to protect data on infected machines and networks.”

. March 25, 2012 at 2:11 pm

“Forbes profiles Vupen, a French security firm that openly sells secret software exploits to spies and government agencies. Its customers pay a $100,000 annual fee simply for the privilege of paying extra fees for the exploits that Vupen’s hackers develop, which the company says can penetrate every major browser, as well as other targets like iOS, Android, Adobe Reader and Microsoft Word. Those individual fees often cost much more than that six-figure subscription, and Vupen sells them non-exclusively to play its customers off each other in an espionage arms race. The company’s CEO, Chaouki Bekrar, says Vupen only sells to NATO governments and ‘NATO partners’ but he admits ‘if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.’”

. March 27, 2012 at 9:37 pm

“Saturday’s electronic leadership vote for Canada’s New Democratic Party was plagued by delays caused by a botnet DDoS attack, coming from over 10,000 machines. Details are still scarce, but Scytl, who provided electronic voting services, will have to build more robust systems in the future in anticipation of such attacks. Party and company officials say an audit proved the systems and integrity of the vote were not compromised.”

. March 27, 2012 at 9:37 pm

Richard Clarke: All Major U.S. Firms Hacked By China

“Former White House cybersecurity advisor Richard Clarke says state-sanctioned Chinese hackers are stealing R&D from U.S. companies, threatening the long-term competitiveness of the nation. He said, ‘The U.S. government is involved in espionage against other governments. There’s a big difference, however, between the kind of cyberespionage the United States government does and China. The U.S. government doesn’t hack its way into Airbus and give Airbus the secrets to Boeing [many believe that Chinese hackers gave Boeing secrets to Airbus]. We don’t hack our way into a Chinese computer company like Huawei and provide the secrets of Huawei technology to their American competitor Cisco. [He believes Microsoft, too, was a victim of a Chinese cyber con game.] We don’t do that. … We hack our way into foreign governments and collect the information off their networks. The same kind of information a CIA agent in the old days would try to buy from a spy. … Diplomatic, military stuff but not commercial competitor stuff.’”

. March 27, 2012 at 9:57 pm

Hacker group LulzSec says it has attacked MilitarySingles.com

LulzSec appears to be back after many months of lying low. It says it has obtained email addresses and other data about nearly 171,000 users of MilitarySingles.com, a commercial dating site.

. April 16, 2012 at 12:21 pm

A nice piece of frightening securityspeak to conjure with: forever-day bugs, which are known bugs that the vendor has no intention of patching. These are often found in control systems, and are the sort of thing that Stuxnet exploited to attack the Iranian nuclear program. These controllers are also found on other kinds of industrial lines and, of course, in aircraft. “Forever day is a play on ‘zero day,’ a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or ‘infinite days’ by some researchers…” [Ars Technica]

Anon April 20, 2012 at 8:35 am

Occupy Wall Street (@OccupyWallStNYC)
19/04/2012 19:39
FBI seizes riseup.net server. #Anonymous #OWS #FBI help.riseup.net/en/seizure-201…

. May 6, 2012 at 12:44 pm

FBI: We Need Wiretap-Ready Web Sites — Now

TheGift73 writes with news that the FBI is pushing a proposal to update old wiretap legislation so that modern web firms would be forced to build in backdoors to facilitate government surveillance. Quoting CNET: “In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned. The FBI general counsel’s office has drafted a proposed law that the bureau claims is the best solution: requiring that social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail alter their code to ensure their products are wiretap-friendly. … The FBI’s proposal would amend a 1994 law, called the Communications Assistance for Law Enforcement Act, or CALEA, that currently applies only to telecommunications providers, not Web companies. The Federal Communications Commission extended CALEA in 2004 to apply to broadband networks.”

. May 7, 2012 at 12:54 pm

Everyone Has Been Hacked. Now What?

The attackers chose their moment well.

On Apr. 7, 2011, five days before Microsoft patched a critical zero-day vulnerability in Internet Explorer that had been publicly disclosed three months earlier on a security mailing list, unknown attackers launched a spear-phishing attack against workers at the Oak Ridge National Laboratory in Tennessee.

The lab, which is funded by the U.S. Department of Energy, conducts classified and unclassified energy and national security work for the federal government.

The e-mail, purporting to come from the lab’s human resources department, went to about 530 workers, or 11 percent of the lab’s workforce.

The cleverly crafted missive included a link to a malicious webpage, where workers could get information about employee benefits. But instead of getting facts about a health plan or retirement fund, workers who visited the site using Internet Explorer got bit with malicious code that downloaded silently to their machines.

Although the lab detected the spear-phishing attack soon after it began, administrators weren’t quick enough to stop 57 workers from clicking on the malicious link. Luckily, only two employee machines were infected with the code. But that was enough for the intruders to get onto the lab’s network and begin siphoning data. Four days after the e-mails arrived, administrators spotted suspicious traffic leaving a server.

Only a few megabytes of stolen data got out, but other servers soon lit up with malicious activity. So administrators took the drastic step of severing all the lab’s computers from the internet while they investigated.

. June 5, 2012 at 1:51 pm

“As more research unfolds about the recently discovered Flame malware, researchers have found three modules – named Snack, Gadget and Munch – that are used to launch what is essentially a man-in-the-middle attack against other computers on a network. As a result, Kaspersky researchers say when a machine attempts to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake malicious Windows Update to the client. That is courtesy of a rogue Microsoft certificate that chains to the Microsoft Root Authority and improperly allows code signing. According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing. The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how.” And an anonymous reader adds a note that Flame’s infrastructure is massive: “over 80 different C&C domains, pointed to over 18 IP addresses located in Switzerland, Germany, the Netherlands, Hong Kong, Poland, the UK, and other countries.”

http://it.slashdot.org/story/12/06/05/1638228/flame-malware-hijacks-windows-update

. June 8, 2012 at 9:27 am

Crypto breakthrough shows Flame was designed by world-class scientists
The spy malware achieved an attack unlike any cryptographers have seen before.

The Flame espionage malware that infected computers in Iran achieved mathematic breakthroughs that could only have been accomplished by world-class cryptographers, two of the world’s foremost cryptography experts said.

“We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack,” Marc Stevens and B.M.M. de Weger wrote in an e-mail posted to a cryptography discussion group earlier this week. “The collision attack itself is very interesting from a scientific viewpoint, and there are already some practical implications.”

“Collision” attacks, in which two different sources of plaintext generate identical cryptographic hashes, have long been theorized. But it wasn’t until late 2008 that a team of researchers made one truly practical. By using a bank of 200 PlayStation 3 consoles to find collisions in the MD5 algorithm—and exploiting weaknesses in the way secure sockets layer certificates were issued—they constructed a rogue certificate authority that was trusted by all major browsers and operating systems. Stevens, from the Centrum Wiskunde & Informatica in Amsterdam, and de Weger, of the Technische Universiteit Eindhoven, were two of the driving forces behind the research that made it possible.

Flame is the first known example of an MD5 collision attack being used maliciously in a real-world environment. It wielded the esoteric technique to digitally sign malicious code with a fraudulent certificate that appeared to originate with Microsoft. By deploying fake servers on networks that hosted machines already infected by Flame—and using the certificates to sign Flame modules—the malware was able to hijack the Windows Update mechanism Microsoft uses to distribute patches to hundreds of millions of customers.

. July 10, 2012 at 10:02 pm
. July 20, 2012 at 7:39 pm

“The U.S. Computer Emergency Readiness Team (US-CERT) has disclosed a flaw in Intel chips that could allow hackers to gain control of Windows and other operating systems, security experts say. The flaw was disclosed in a security advisory released this week. Hackers could exploit the flaw to execute malicious code with kernel privileges, said a report in the Bitdefender blog. ‘Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack,’ the US-CERT advisory says. ‘The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.’”

http://it.slashdot.org/story/12/06/16/0356209/us-cert-discloses-security-flaw-in-64-bit-intel-chips

The popular Blackhole exploit kit, assumed to be created and maintained by an individual going by the online moniker of ‘Paunch,’ who continuously updates the browser exploit software, looks like it has just received another upgrade. The exploit works by infecting a user when they visit a Blackhole-infected site, and their browser runs the JavaScript code, usually via a hidden iframe. If the location or URL for the malicious iframe changes or is taken down, all of the compromised sites will have to be updated to point to this new location, making it hard for the attackers. To deal with this, the Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains, based on the date and other information, and then creates an iframe pointing to the generated domain. Moreover, the kit’s recent upgrade also added a new attack. According to Sophos, sometime in early June Blackhole was updated to include an attack that targets a flaw in Microsoft’s XML Core Services, which remains unpatched. Unfortunately, the changes prove once again that the criminal economy online is alive and well.

http://it.slashdot.org/story/12/07/03/1315230/blackhole-exploit-kit-gets-an-upgrade

“Security researchers have come across a worm that is meant specifically to steal blueprints, design documents and other files created with the AutoCAD software. The worm, known as ACAD/Medre.A, is spreading through infected AutoCAD templates and is sending tens of thousands of stolen documents to email addresses in China. However, experts say that the worm’s infection rates are dropping at this point and it doesn’t seem to be part of a targeted attack campaign. … [They] discovered that not only was the worm highly customized and well-constructed, it seemed to be targeting mostly machines in Peru for some reason. … They found that ACAD/Medre.A was written in AutoLISP, a specialized version of the LISP scripting language that’s used in AutoCAD.”

http://it.slashdot.org/story/12/06/25/2323259/autocad-worm-medrea-stealing-designs-blueprints

Serious Web Vulnerabilities Dropped In 2011

“It’s refreshing to see a security report from a security vendor that isn’t all doom-and-gloom and loaded with FUD. Web Application Security firm WhiteHat Security released a report this week (PDF) showing that the number of major vulnerabilities has fallen dramatically. Based on the raw data gathered from scans of over 7,000 sites, there were only 79 substantial vulnerabilities discovered on average in 2011. To compare, there were 230 vulnerabilities on average discovered in 2010, 480 in 2009, 795 in 2008, and 1,111 in 2007. As for the types of flaws discovered, Cross-Site Scripting (XSS) remained the number one problem, followed by Information Leakage, Content Spoofing, Insufficient Authorization, and Cross-Site Request Forgery (CSRF) flaws. SQL Injection – an oft-mentioned attack vector online – was eighth on the top ten.”

http://it.slashdot.org/story/12/06/30/1940218/serious-web-vulnerabilities-dropped-in-2011

Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. ‘What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.’ Why weren’t Flame, Stuxnet, and Duqu detected earlier? The answer isn’t encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren’t meant to be discovered, and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and Duqu, they used digitally signed components to make their malware appear to be trustworthy applications, and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware. ‘The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets,’ writes Hypponen, adding that it’s highly likely there are other similar attacks already underway that we haven’t detected yet because, simply put, attacks like these work. ‘Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.’

. August 30, 2012 at 1:30 pm

Our applications host a variety of web content on behalf of our users, and over the years we learned that even something as simple as serving a profile image can be surprisingly fraught with pitfalls. Today, we wanted to share some of our findings about content hosting, along with the approaches we developed to mitigate the risks.

Historically, all browsers and browser plugins were designed simply to excel at displaying several common types of web content, and to be tolerant of any mistakes made by website owners. In the days of static HTML and simple web applications, giving the owner of the domain authoritative control over how the content is displayed wasn’t of any importance.

It wasn’t until the mid-2000s that we started to notice a problem: a clever attacker could manipulate the browser into interpreting seemingly harmless images or text documents as HTML, Java, or Flash—thus gaining the ability to execute malicious scripts in the security context of the application displaying these documents (essentially, a cross-site scripting flaw). For all the increasingly sensitive web applications, this was very bad news.

During the past few years, modern browsers began to improve. For example, the browser vendors limited the amount of second-guessing performed on text documents, certain types of images, and unknown MIME types. However, there are many standards-enshrined design decisions—such as ignoring MIME information on any content loaded through , , or —that are much more difficult to fix; these practices may lead to vulnerabilities similar to the GIFAR bug.

Google’s security team played an active role in investigating and remediating many content sniffing vulnerabilities during this period. In fact, many of the enforcement proposals were first prototyped in Chrome. Even still, the overall progress is slow; for every resolved problem, researchers discover a previously unknown flaw in another browser mechanism. Two recent examples are the Byte Order Mark (BOM) vulnerability reported to us by Masato Kinugawa, or the MHTML attacks that we have seen happening in the wild.

. October 21, 2012 at 3:25 pm

When Networks Network

Once studied solo, systems display surprising behavior when they interact

. November 8, 2012 at 4:21 pm
. November 20, 2012 at 6:29 pm

“A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites.”

. November 20, 2012 at 6:42 pm

DON’T MESS UP

It is hard to pull off one of these steps, let alone all of them all the time. It takes just one mistake — forgetting to use Tor, leaving your encryption keys where someone can find them, connecting to an airport Wi-Fi just once — to ruin you.

“Robust tools for privacy and anonymity exist, but they are not integrated in a way that makes them easy to use,” Mr. Blaze warned. “We’ve all made the mistake of accidentally hitting ‘Reply All.’ Well, if you’re trying to hide your e-mails or account or I.P. address, there are a thousand other mistakes you can make.”

In the end, Mr. Kaminsky noted, if the F.B.I. is after your e-mails, it will find a way to read them. In that case, any attempt to stand in its way may just lull you into a false sense of security.

Some people think that if something is difficult to do, “it has security benefits, but that’s all fake — everything is logged,” said Mr. Kaminsky. “The reality is if you don’t want something to show up on the front page of The New York Times, then don’t say it.”

Milan November 22, 2012 at 11:57 am

This could be useful, and could do a little bit to help reverse the tide of malicious activity on the web:

Hosting provider Antagonist automatically fixes vulnerabilities in customers’ websites

It’s very challenging for ordinary website operators to make their sites secure, and to deal with the consequences of security breaches.

anon November 23, 2012 at 8:09 pm
. December 31, 2012 at 2:26 pm

Your Cisco phone is listening to you: 29C3 talk on breaking Cisco phones

Here’s a video of Ang Cui and Michael Costello’s Hacking Cisco Phones talk at the 29th Chaos Communications Congress in Hamburg. Cui gave a show-stealing talk last year on hacking HP printers, showing that he could turn your printer into an inside-the-firewall spy that systematically breaks vulnerable machines on your network, just by getting you to print out a document.

Cui’s HP talk showed how HP had relied upon the idea that no one would ever want to hack a printer as its primary security. With Cisco, he’s looking at a device that was designed with security in mind. The means by which he broke the phone’s security is much more clever, and makes a fascinating case-study into the cat-and-mouse of system security.

. January 2, 2013 at 9:54 pm

The threat of browser-based data breaches is growing. The number of vulnerabilities in browser plugins is on the rise. Now is the time to be proactive about the security of your web browser.

Qualys BrowserCheck is a cloud service that scans your browsers and plugins to see if they’re all up-to-date. It’s an “online checkup” that relieves you from having to manually chase the constantly-shifting landscape of patches and updates to determine what you should be using. BrowserCheck identifies which browsers and plugins are used on your computer and whether newer versions have been released by vendors. On PCs running Microsoft Windows XP or later, BrowserCheck can also verify that important OS settings are enabled and Windows security updates are being received.

. January 3, 2013 at 5:52 pm

Fuzz testing
From Wikipedia, the free encyclopedia

Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.
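
A minimal fuzzer in exactly that sense, as an added example (not from Wikipedia or from anyone in this thread): a deterministic schedule of truncations, boundary-byte overwrites and bit flips of a seed is fed to a constructed TLV record parser, a ValueError counts as the parser correctly rejecting bad input, and any other exception is recorded as a finding. A second, bounds-checked copy of the parser shows the fuzzer going quiet once the missing checks are in place. The record format, parsers and seed are all constructed for this example.

```python
import struct
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed record format: u16 count, then count x (u8 type, u16 length, payload).
SEED = struct.pack(">H", 2) + b"\x01\x00\x03abc" + b"\x02\x00\x01z"


def parse_records(buf: bytes) -> List[Tuple[int, bytes]]:
    """Under-checked parser (constructed, so the fuzzer has something to find).

    A truncated header makes struct raise struct.error, which is not the
    ValueError a caller would be prepared to handle."""
    count = struct.unpack_from(">H", buf, 0)[0]
    off = 2
    out = []
    for _ in range(count):
        typ, length = struct.unpack_from(">BH", buf, off)
        off += 3
        payload = buf[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated payload")
        out.append((typ, payload))
        off += length
    return out


def parse_records_checked(buf: bytes) -> List[Tuple[int, bytes]]:
    """Same format, with every read bounds-checked before it happens."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    count = struct.unpack_from(">H", buf, 0)[0]
    off = 2
    out = []
    for _ in range(count):
        if len(buf) - off < 3:
            raise ValueError("truncated entry header")
        typ, length = struct.unpack_from(">BH", buf, off)
        off += 3
        if len(buf) - off < length:
            raise ValueError("truncated payload")
        out.append((typ, buf[off:off + length]))
        off += length
    if off != len(buf):
        raise ValueError("trailing bytes")
    return out


def mutations(seed: bytes) -> Iterator[bytes]:
    """Deterministic mutation schedule: every truncation, every single-byte
    overwrite with a boundary value, every single bit flip."""
    for n in range(len(seed)):
        yield seed[:n]
    for i in range(len(seed)):
        for v in (0x00, 0x7F, 0x80, 0xFF):
            yield seed[:i] + bytes([v]) + seed[i + 1:]
    for i in range(len(seed)):
        for bit in range(8):
            yield seed[:i] + bytes([seed[i] ^ (1 << bit)]) + seed[i + 1:]


def fuzz(target: Callable[[bytes], object], seed: bytes) -> Tuple[int, Dict[str, bytes]]:
    """Run every mutation through target. ValueError is the parser's documented
    rejection; anything else is a crash-class finding, keyed by exception type
    and mapped to the first input that triggered it."""
    findings: Dict[str, bytes] = {}
    runs = 0
    for case in mutations(seed):
        runs += 1
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:  # unexpected exception type: record it
            findings.setdefault(f"{type(exc).__module__}.{type(exc).__name__}", case)
    return runs, findings


if __name__ == "__main__":
    for name, parser in (("unchecked", parse_records), ("checked", parse_records_checked)):
        runs, findings = fuzz(parser, SEED)
        print(f"{name}: {runs} cases, findings: {findings}")
```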

. February 20, 2013 at 11:27 pm

“The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks,” reports Brian Krebs. The paper’s statement on the matter is a model of how not to handle security clusterfucks.

. February 21, 2013 at 8:42 pm

Passware Inc. is a forensics security company that develops investigation software kits to reveal passwords on seized computers. Last year it released a version of its kit that allows an investigator to reveal the passwords of Apple’s FileVault encryption technology, along with those for similar technologies such as TrueCrypt, PGP Disk, and BitLocker. Recently the kit has gained more features and now has the ability to snoop through a system’s hibernation file for Google and Facebook account passwords.

The Passware snooping technology works by accessing a system’s memory either through a port that has direct memory access (DMA), or by accessing a system’s sleepimage (hibernation) files. It scans the contents of these resources for patterns to reveal relevant passwords.

. February 23, 2013 at 10:26 pm

In many ways, the attacks resembled those criminal groups and spammers deploy against individuals and businesses. A “spearphishing” e-mail is sent, which attempts to get members of an organisation to open an attachment that appears to originate from a colleague or business partner, and contains some typical business data. Rather than a file, though, the attachment is a piece of malware. When opened, it exploits system flaws to install backdoor access to the computer. This allows remote command-and-control servers anywhere on the internet to install additional software, capture keystrokes and images on the screen, and ferret around the local network.

Mandiant says the hackers sometimes used malicious remote-access toolkits readily available on the “dark side” of the internet (if not through your average Google search). But mostly they either developed or acquired at least 42 “families” of proprietary remote-access tools. Some have dates imprinted in them which indicate they were initially programmed as early as 2004, with updates added over the subsequent six years. The attacks, in other words, were carefully planned and premeditated.

To fool firewalls and other software, some remote-control malware mimicked traffic patterns of legitimate internet services, like the Jabber/XMPP chat system used by Google and Facebook, among others. This allowed them to send information to and from the infected machines without raising suspicions. A lot of the insidious traffic was encrypted, but this too is commonplace for many websites and services, including Twitter and standard e-mail.

APT1 tried hard to retrieve password-related information, often using common cracking tools. Before being stored a password is usually fed into an algorithm called a hash function. This converts it into an obscure string of symbols, or a “hash”, that offers no clue as to the original input. The function is irreversible, so you cannot work back from a hash to the password. You can, however, run different words through a hash function and compare the resulting hash with the one stored. Many such “brute-force” attacks use large dictionaries of common and less common passwords. As a number of companies discovered last year, poor passwords make for easy pickings. Some clever tools actually let an attacker log into a system using the encrypted form of a password, dispensing with the need to crack it.

. March 11, 2013 at 4:16 pm

Nate Anderson’s long Ars Technica piece on RATters — men who use “Remote Administration Tools” to spy on others, mostly women, via their laptop cameras, and to plunder their computers for files and passwords — is a must-read. Anderson lays out the way that online communities like Hack Forums provide expertise, tools, and, most importantly, validation for the men who participate in this “game.” Anderson explains the power of software like DarkComet, which allows for near-total control of compromised computers (everything from opening the CD trays to disabling the Start menu in Windows); the dehumanizing language used by Ratters (they call their victims “slaves”); and the way that these tools have found their way into the arsenals of totalitarian governments, like the Assad regime in Syria, which used these tools to spy on rebels.

. March 11, 2013 at 4:22 pm

Today, a cottage industry exists to build sophisticated RAT tools with names like DarkComet and BlackShades and to install and administer them on dozens or even hundreds of remote computers. When anti-malware vendors began to detect and clean these programs from infected computers, the RAT community built “crypters” to disguise the target code further. Today, serious ratters seek software that is currently “FUD”—fully undetectable.

Building an army of slaves isn’t particularly complicated; ratters simply need to trick their targets into running a file. This is commonly done by seeding file-sharing networks with infected files and naming them after popular songs or movies, or through even more creative methods. “I seem to get a lot of female slaves by spreading Sims 3 with a [RAT] server on torrent sites,” wrote one poster. Another turned to social media, where “I’ve been able to message random hot girls on facebook (0 mutual friends) and infect (usually become friends with them too); with the right words anything is possible.”

. April 6, 2013 at 12:08 pm

HER hopes of joining a Romney administration now vanished, Nikki Haley, the Republican governor of South Carolina, is expected to announce next summer that she will seek a second term in 2014. But her chances may be crippled by the fact that, in October, the news broke that an international computer hacker had stolen from the South Carolina Department of Revenue’s database the tax records of every South Carolinian who has filed a state tax return online since 1998—3.8m individuals and almost 700,000 businesses. It is believed to be the largest cyber-attack against a state tax agency in America’s history, and it went on for ten days after detection before the intruder’s access could be blocked.

. April 6, 2013 at 12:09 pm

Monitor
An internet of airborne things

Networking: Enthusiasts dream of building a drone-powered internet to carry objects rather than data. Are they mad?

. May 21, 2013 at 11:37 am
